diff --git a/ph-xml/src/main/java/com/helger/xml/XMLFactory.java b/ph-xml/src/main/java/com/helger/xml/XMLFactory.java
index 72a4d8ef5..9e07c4bce 100644
--- a/ph-xml/src/main/java/com/helger/xml/XMLFactory.java
+++ b/ph-xml/src/main/java/com/helger/xml/XMLFactory.java
@@ -134,32 +134,25 @@ private static void _setFeature (@Nonnull final DocumentBuilderFactory aFactory,
}
}
- /**
- * Create a new {@link DocumentBuilderFactory} using the defaults defined in
- * this class ({@link #DEFAULT_DOM_NAMESPACE_AWARE},
- * {@link #DEFAULT_DOM_VALIDATING} ,
- * {@link #DEFAULT_DOM_IGNORING_ELEMENT_CONTENT_WHITESPACE},
- * {@link #DEFAULT_DOM_EXPAND_ENTITY_REFERENCES},
- * {@link #DEFAULT_DOM_IGNORING_COMMENTS} and
- * {@link #DEFAULT_DOM_COALESCING}.).
- *
- * @return Never null
.
- */
- @Nonnull
- public static DocumentBuilderFactory createDefaultDocumentBuilderFactory ()
+ public static void defaultCustomizeDocumentBuilderFactory (@Nonnull final DocumentBuilderFactory aFactory)
{
- // Secure processing is enabled by default since JDK 8
- final DocumentBuilderFactory aFactory = DocumentBuilderFactory.newInstance ();
+ /*
+ * Secure processing is enabled by default since JDK 8. See class
+ * "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl"
+ * field "fSecure" is initially "true". However, if someone uses an external
+ * XML parser library (like Xerces) it might be disabled.
+ */
+ _setFeature (aFactory, EXMLParserFeature.SECURE_PROCESSING, true);
_setFeature (aFactory, EXMLParserFeature.DISALLOW_DOCTYPE_DECL, true);
_setFeature (aFactory, EXMLParserFeature.EXTERNAL_GENERAL_ENTITIES, false);
_setFeature (aFactory, EXMLParserFeature.EXTERNAL_PARAMETER_ENTITIES, false);
+ _setFeature (aFactory, EXMLParserFeature.LOAD_EXTERNAL_DTD, false);
aFactory.setNamespaceAware (DEFAULT_DOM_NAMESPACE_AWARE);
aFactory.setValidating (DEFAULT_DOM_VALIDATING);
aFactory.setIgnoringElementContentWhitespace (DEFAULT_DOM_IGNORING_ELEMENT_CONTENT_WHITESPACE);
aFactory.setExpandEntityReferences (DEFAULT_DOM_EXPAND_ENTITY_REFERENCES);
aFactory.setIgnoringComments (DEFAULT_DOM_IGNORING_COMMENTS);
aFactory.setCoalescing (DEFAULT_DOM_COALESCING);
-
try
{
aFactory.setXIncludeAware (DEFAULT_DOM_XINCLUDE_AWARE);
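Review bot: The new public method `defaultCustomizeDocumentBuilderFactory` has no Javadoc, and the same applies to `defaultCustomizeSAXParserFactory` and `defaultCustomizeTransformerFactory` in the later hunks; since these are now the public entry points for hardening a caller-supplied factory, the contract should be stated. I would add a Javadoc stating that the method applies this class's security defaults to an existing factory (enables secure processing, disallows DOCTYPE declarations, disables external general/parameter entities and external DTD loading) and then the `DEFAULT_DOM_*` options, with `@param aFactory The factory to customize. May not be <code>null</code>.` The block comment on secure processing is useful; it would be worth adding one sentence noting that `DISALLOW_DOCTYPE_DECL` is the feature that actually blocks entity declarations, so a caller who re-enables DOCTYPE afterwards must keep the entity and DTD features off. The method body continues past the end of this hunk (the XInclude try/catch).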
@@ -168,6 +161,24 @@ public static DocumentBuilderFactory createDefaultDocumentBuilderFactory ()
{
// Ignore
}
+ }
+
+ /**
+ * Create a new {@link DocumentBuilderFactory} using the defaults defined in
+ * this class ({@link #DEFAULT_DOM_NAMESPACE_AWARE},
+ * {@link #DEFAULT_DOM_VALIDATING} ,
+ * {@link #DEFAULT_DOM_IGNORING_ELEMENT_CONTENT_WHITESPACE},
+ * {@link #DEFAULT_DOM_EXPAND_ENTITY_REFERENCES},
+ * {@link #DEFAULT_DOM_IGNORING_COMMENTS} and
+ * {@link #DEFAULT_DOM_COALESCING}.).
+ *
+ * @return Never null
.
+ */
+ @Nonnull
+ public static DocumentBuilderFactory createDefaultDocumentBuilderFactory ()
+ {
+ final DocumentBuilderFactory aFactory = DocumentBuilderFactory.newInstance ();
+ defaultCustomizeDocumentBuilderFactory (aFactory);
return aFactory;
}
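Review bot: The Javadoc of `createDefaultDocumentBuilderFactory` still lists only the `DEFAULT_DOM_*` options, while the factory returned is now also hardened through the helper, which a caller reading this doc would not learn. I would add a sentence such as `Additionally the factory is hardened against DTD and external-entity processing; see {@link #defaultCustomizeDocumentBuilderFactory(DocumentBuilderFactory)} for the exact features applied.` The `@return Never null` line also looks garbled with a stray period on its own line; it should read `@return Never <code>null</code>.` on one line.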
@@ -440,6 +451,18 @@ private static void _setFeature (@Nonnull final SAXParserFactory aFactory,
}
}
+ public static void defaultCustomizeSAXParserFactory (@Nonnull final SAXParserFactory aFactory)
+ {
+ _setFeature (aFactory, EXMLParserFeature.SECURE_PROCESSING, true);
+ _setFeature (aFactory, EXMLParserFeature.DISALLOW_DOCTYPE_DECL, true);
+ _setFeature (aFactory, EXMLParserFeature.EXTERNAL_GENERAL_ENTITIES, false);
+ _setFeature (aFactory, EXMLParserFeature.EXTERNAL_PARAMETER_ENTITIES, false);
+ _setFeature (aFactory, EXMLParserFeature.LOAD_EXTERNAL_DTD, false);
+ aFactory.setNamespaceAware (DEFAULT_SAX_NAMESPACE_AWARE);
+ aFactory.setValidating (DEFAULT_SAX_VALIDATING);
+ aFactory.setXIncludeAware (DEFAULT_SAX_XINCLUDE_AWARE);
+ }
+
@Nonnull
public static SAXParserFactory createDefaultSAXParserFactory ()
{
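Review bot: `defaultCustomizeSAXParserFactory` calls `aFactory.setXIncludeAware (DEFAULT_SAX_XINCLUDE_AWARE)` unguarded, whereas the DOM counterpart in the first hunk wraps the equivalent call in a try/catch with an "Ignore" comment. If that guard exists because some factory implementations reject the call, the SAX helper should get a matching `try { ... } catch (...) { // Ignore }` around the XInclude line so the remaining hardening is still applied consistently; if the guard is not needed here, a one-line comment saying why would stop the next reader from asking the same question. The same order of feature calls as the DOM helper is used, which is good for review, but it would also help to state in a comment that SECURE_PROCESSING is set explicitly because an external parser library may not enable it by default, as the DOM helper's comment does.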
@@ -454,12 +477,7 @@ public static SAXParserFactory createDefaultSAXParserFactory ()
// Java 8 method - see #41
aFactory = SAXParserFactory.newInstance ();
}
- _setFeature (aFactory, EXMLParserFeature.DISALLOW_DOCTYPE_DECL, true);
- _setFeature (aFactory, EXMLParserFeature.EXTERNAL_GENERAL_ENTITIES, false);
- _setFeature (aFactory, EXMLParserFeature.EXTERNAL_PARAMETER_ENTITIES, false);
- aFactory.setNamespaceAware (DEFAULT_SAX_NAMESPACE_AWARE);
- aFactory.setValidating (DEFAULT_SAX_VALIDATING);
- aFactory.setXIncludeAware (DEFAULT_SAX_XINCLUDE_AWARE);
+ defaultCustomizeSAXParserFactory (aFactory);
return aFactory;
}
@@ -482,19 +500,26 @@ private static void _setFeature (@Nonnull final TransformerFactory aFactory,
}
}
+ public static void defaultCustomizeTransformerFactory (@Nonnull final TransformerFactory aFactory)
+ {
+ if (false)
+ {
+ // This prevents to use XSLT includes
+ _setFeature (aFactory, EXMLParserFeature.SECURE_PROCESSING, true);
+ }
+ _setFeature (aFactory, EXMLParserFeature.DISALLOW_DOCTYPE_DECL, true);
+ _setFeature (aFactory, EXMLParserFeature.EXTERNAL_GENERAL_ENTITIES, false);
+ _setFeature (aFactory, EXMLParserFeature.EXTERNAL_PARAMETER_ENTITIES, false);
+ _setFeature (aFactory, EXMLParserFeature.LOAD_EXTERNAL_DTD, false);
+ }
+
@Nonnull
public static TransformerFactory createDefaultTransformerFactory ()
{
try
{
final TransformerFactory aFactory = TransformerFactory.newInstance ();
- if (false)
- {
- // Not needed for Java 11
- _setFeature (aFactory, EXMLParserFeature.DISALLOW_DOCTYPE_DECL, true);
- _setFeature (aFactory, EXMLParserFeature.EXTERNAL_GENERAL_ENTITIES, false);
- _setFeature (aFactory, EXMLParserFeature.EXTERNAL_PARAMETER_ENTITIES, false);
- }
+ defaultCustomizeTransformerFactory (aFactory);
return aFactory;
}
catch (final TransformerFactoryConfigurationError ex)